Without finalizing the draft premarket guidance, FDA has turned its attention to postmarket cybersecurity, likely because, as the draft guidance states, "cybersecurity risks to medical devices are continually evolving." Thus, to comprehensively protect devices against cybersecurity threats, FDA believes that manufacturers must assess cybersecurity both during design and development and during postmarket surveillance.

Like the draft premarket guidance, which was picked up by the Wall Street Journal, the draft postmarket guidance was also the focus of a Wall Street Journal article just after it was released. Two-and-a-half years after issuance of the draft premarket cybersecurity guidance, Wall Street and investors are still interested in the cybersecurity of medical devices, but what does this new guidance mean for industry? A lot. FDA expects manufacturers to implement a comprehensive cybersecurity program throughout the entire device life cycle (pre- and postmarket).

The draft guidance recommends that manufacturers engage in what it calls "good cyber hygiene." In the guidance's words, "routine device cyber maintenance, assessing postmarket information, employing a risk-based approach to characterizing vulnerabilities, and timely implementation of necessary actions can further mitigate emerging cybersecurity risks and reduce the impact to patients." The guidance also encourages manufacturers to follow the voluntary NIST "Framework for Improving Critical Infrastructure Cybersecurity" and to participate in an Information Sharing and Analysis Organization (ISAO), such as the National Health Information Sharing & Analysis Center, with which CDRH has entered into a Memorandum of Understanding. The draft guidance provides an appendix with additional details regarding the recommended elements of a comprehensive cybersecurity program.

The draft guidance emphasizes that, in order to effectively mitigate cybersecurity risks, the manufacturer should have a risk management program that incorporates both the premarket and postmarket phases. The risk management program should use a tool that is appropriate for scoring and rating cybersecurity vulnerabilities, such as the "Common Vulnerability Scoring System" (CVSS), and it should have a separate process for assessing the potential health impact (e.g., ISO 14971), since CVSS rates technical exploitability and impact rather than patient harm. The end result should be a conclusion as to whether each cybersecurity risk is controlled (i.e., "sufficiently low (acceptable) residual risk") or uncontrolled (i.e., "unacceptable residual risk that the device's essential clinical performance could be compromised"). If a risk is deemed to be uncontrolled, FDA expects that additional risk control measures will be applied. The draft guidance provides examples of both controlled and uncontrolled risks.

The draft guidance states that "for the majority of cases, actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered 'cybersecurity routine updates or patches,' for which the FDA does not require advance notification or reporting under 21 CFR part 806." The guidance indicates that a "routine update or patch" is one that is intended to "increase device security and/or remediate vulnerabilities associated with controlled risk" and does not affect the software's "essential clinical performance." Essential clinical performance is defined by the guidance as "performance that is necessary to achieve freedom from unacceptable clinical risk." Interestingly, FDA's final guidance on distinguishing a recall from a product enhancement (which we previously posted on here) did not acknowledge that companies making routine updates or patches to address known vulnerabilities with acceptable (low) levels of risk in their software would not be required to report under Part 806. Although the guidance speaks directly to cybersecurity vulnerabilities, we expect – or at least would like to think – that this line of reasoning would also be applied to other known software defects with acceptably low levels of risk at the time of release.

With regard to PMA devices, changes made to mitigate cybersecurity vulnerabilities should be reported in periodic annual reports to FDA. The draft guidance provides suggested content for such reports.

One key question left to be answered is how FDA will enforce this draft guidance. Unlike the draft premarket guidance, under which FDA can review a device's cybersecurity information during 510(k) or PMA review, the postmarket guidance merely sets out recommendations for new and existing devices once they are on the market. FDA will be left to enforce these recommendations during device facility inspections. The draft guidance appears to imply that a failure to comply with the guidance would be a violation of the Quality System Regulation (QSR). The draft guidance states that "it is essential that manufacturers implement comprehensive cybersecurity risk management programs and documentation consistent with the Quality System Regulation (21 CFR part 820), including but not limited to complaint handling (21 CFR 820.198), quality audit (21 CFR 820.22), corrective and preventive action (21 CFR 820.100), software validation and risk analysis (21 CFR 820.30(g)) and servicing (21 CFR 820.200)." While we do not expect to see this guidance cited in any FDA Form 483 observations – or at least not in the short term – it is likely that investigators will at some point start looking for the elements described in this guidance when they inspect device manufacturers' quality systems.